My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Survey of CUPS exploit attempts

Published: 2024-10-04. Last Updated: 2024-10-04 14:59:51 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitations. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability

Top URLs

http://192.34.63.88:5674/printers/securitytest3/

The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do no t have a prior history from this IP address.

http://194.113.74.187:631/printers/amongus

Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.

http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"

The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.

http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"

Note the similar base64 encoded string. This one decoded to "benignprinters". 

http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure

The URL hopefully identifies the purpose of the scan correctly :) . Oastify.com is used by the Burp collaboration server.

http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"

Another "benignbe" URL. Interestingly a Microsoft/GitHub IP address.

http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)

This IP is associated with internet-measurement.com.

So far, I only saw two "ipp" URLs:

ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"

and 

ipp://199.247.0.94:631/printers/test

I will try to setup some automated responses soon to get a bit more detail.

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Login here to join the discussion.


Top of page
Diary Archives